Certification of Minimal Approximant Bases Pascal Giorgi 1 , Vincent - - PowerPoint PPT Presentation

Certification of Minimal Approximant Bases

Pascal Giorgi 1, Vincent Neiger 2

1Universit´

e de Montpellier, France

2Universit´

e de Limoges, France

ISSAC’2018, New York, USA July 17, 2018

Approximant Bases

Let F ∈ K[X]m×n a matrix of power series truncated at order d = (d1, . . . , dn) columnwise : ∀1 ≤ j ≤ n, deg F∗,j < dj approximant of F at order d : p ∈ K[X]1×m s.t. pF = [0, . . . , 0] mod X (d1,...,dn) the set Ad(F) of all approximants of F forms a free K[X]-module of rank m [Van Barel, Bultheel 1992]. A basis P ∈ K[X]m×m of Ad(F) is called an approximant basis

Minimal Approximant Bases

Minimality row-reduced over K[X], i.e. minimal row degree among all bases P =   3x3 2x2 x + 3 x3 + 4x2 2x3 + 3x2 5x2 x3 + 6x2 + 4x 2x3 + 8x2 + 5 6x2 + 3   , rdeg(P) =   3 3 3  

Minimal Approximant Bases

Minimality row-reduced over K[X], i.e. minimal row degree among all bases P =   3x3 2x2 x + 3 x3 + 4x2 2x3 + 3x2 5x2 x3 + 6x2 + 4x 2x3 + 8x2 + 5 6x2 + 3   , rdeg(P) =   3 3 3   ⇒ row-reduction is related to the rdeg-leading matrix of P   1 1 −1 1   P = R =   3x3 2x2 x + 3 x3 + 4x2 2x3 + 3x2 5x2 2x2 + 4x 5x2 + 5 x2 + 3   , rdeg(R) =   3 3 2  

Shifted Minimal Approximant Bases

Shifted row degree (or s-row degree) degree measure for weighting the columns with a shift s = (s1, . . . , sm) rdegs(P) = rdeg(PX s) = rdeg(P    X s1 ... X sm   ) s-minimal approximant bases bases of Ad(F) that have minimal s-row degree among all bases (s-reduced)

Shifted Minimal Approximant Bases

Shifted row degree (or s-row degree) degree measure for weighting the columns with a shift s = (s1, . . . , sm) rdegs(P) = rdeg(PX s) = rdeg(P    X s1 ... X sm   ) s-minimal approximant bases bases of Ad(F) that have minimal s-row degree among all bases (s-reduced) s-Popov approximant bases (uniqueness) rdegs-leading matrix → unitary lower triangular matrix cdeg-leading matrix → identity

Algorithms for Approximant Bases

• polynomial matrix F ∈ K[X]m×n
• order d = (d1, . . . , dn) ∈ Zn

>0 with D = |d| = j dj

• shift s ∈ Zm

Best known algorithms to date cost in O˜(mωD/m) = O˜(mω−1D)

minimal bases (unique order, no shift)

[G., Jeannerod, Villard ISSAC’03]

s-minimal bases (unique order, small shifts)

[Zhou, Labahn ISSAC’12]

s-Popov bases (all orders/shifts)

[Jeannerod et al. ISSAC’16]

Algorithms for Approximant Bases

• polynomial matrix F ∈ K[X]m×n
• order d = (d1, . . . , dn) ∈ Zn

>0 with D = |d| = j dj

• shift s ∈ Zm

Best known algorithms to date cost in O˜(mωD/m) = O˜(mω−1D)

minimal bases (unique order, no shift)

[G., Jeannerod, Villard ISSAC’03]

s-minimal bases (unique order, small shifts)

[Zhou, Labahn ISSAC’12]

s-Popov bases (all orders/shifts)

[Jeannerod et al. ISSAC’16]

These are deterministic non-optimal algorithms, i.e. Size(F) = mD when delegating computation → hope for faster verification

Verifying outsourced computation

Verifier Prover

F, x

y=F (x), proof

generating the proof must be negiglible verifying the proof must be easier than computing F (x) → different models : interactive or static

Verifying outsourced computation

Verifier Prover

F, x

y=F (x), proof

generating the proof must be negiglible verifying the proof must be easier than computing F (x) → different models : interactive or static Sometimes the proof is unnecessary : → Freivalds’ verification of matrix mul. (uA)B = uC

Certifying linear algebra

Generic approaches exist Interactive proof for boolean circuits [Goldwasser, Kalai, Rothblum ’08 ; Thaler ’13] matrix mul. reduction → rerun with Freivalds [Kaltofen, Nehrig, Saunders ISSAC’11] ✗ prover or verifier time might not be optimal

Certifying linear algebra

Generic approaches exist Interactive proof for boolean circuits [Goldwasser, Kalai, Rothblum ’08 ; Thaler ’13] matrix mul. reduction → rerun with Freivalds [Kaltofen, Nehrig, Saunders ISSAC’11] ✗ prover or verifier time might not be optimal Optimal ad’hoc verifications exist [Dumas,Kaltofen ISSAC’14] ✓ prover and verifier time can be “optimal” ✓ independent of the circuit (certifying result rather than execution)

Certifying linear algebra

Generic approaches exist Interactive proof for boolean circuits [Goldwasser, Kalai, Rothblum ’08 ; Thaler ’13] matrix mul. reduction → rerun with Freivalds [Kaltofen, Nehrig, Saunders ISSAC’11] ✗ prover or verifier time might not be optimal Optimal ad’hoc verifications exist [Dumas,Kaltofen ISSAC’14] ✓ prover and verifier time can be “optimal” ✓ independent of the circuit (certifying result rather than execution) How to optimally certify/verify approximant bases ?

Main result

Given P a s-minimal basis of Ad(F) with Size(P) = O(mD) Static proof for s-minimal approximant bases additional effort :O(mω−1D) prover Monte Carlo verification : O(mD + mω−1(m + n)) verifier probability of error ≤

D #S for S ⊂ K.

⇒ almost optimal certificate (D ≫ m2 often the case in practice) ⇒ total prover time remains in O˜(mω−1D)

Main result

Given P a s-minimal basis of Ad(F) with Size(P) = O(mD) Size(P) = O(mD) not in general ⇒ but bases computed by best known algorithms have such property |rdeg(P)| ∈ O(D)

[Van Barel, Bultheel ’92 ; Zhou, Labahn ISSAC’12]

|cdeg(P)| ≤ D (s-Popov)

[Jeannerod et al. ISSAC’16]

How to certify approximant basis

1

Minimal : P is s-reduced

2

Approximant : PF = 0 mod X (d1,...,dn)

3

Basis : rows of P generate Ad(F)

How to certify approximant basis

1

Minimal : P is s-reduced This amounts to check non-singularity of the rdegs-leading matrix of P ⇒ can be done at a cost O(mω)

How to certify approximant basis

2

Approximant : PF = 0 mod X (d1,...,dn) not trivial → computing PF mod X (d1,...,dn) costs O˜(mω−1D).

How to certify approximant basis

2

Approximant : PF = 0 mod X (d1,...,dn) not trivial → computing PF mod X (d1,...,dn) costs O˜(mω−1D). Proposition : Freivalds + [G. ’18] verify PF = G mod X (d1,...,dn) at optimal cost O(mD)

How to certify approximant basis

2

Approximant : PF = 0 mod X (d1,...,dn) not trivial → computing PF mod X (d1,...,dn) costs O˜(mω−1D). Proposition : Freivalds + [G. ’18] verify PF = G mod X (d1,...,dn) at optimal cost O(mD) check (uP)F = uG mod X (d1,...,dn) for a random vector u

How to certify approximant basis

2

Approximant : PF = 0 mod X (d1,...,dn) not trivial → computing PF mod X (d1,...,dn) costs O˜(mω−1D). Proposition : Freivalds + [G. ’18] verify PF = G mod X (d1,...,dn) at optimal cost O(mD) check (uP)F = uG mod X (d1,...,dn) for a random vector u check for a random α ∈ S ⊂ K, δ = max (d1, . . . , dn) that

• 1 α . . . αδ−1

     uP0 uP1 ... . . . ... ... uPδ−1 . . . uP1 uP0          F0 F1 . . . Fδ−1     =

• 1 α . . . αδ−1

    uG0 uG1 . . . uGδ−1    

How to certify approximant basis

2

Approximant : PF = 0 mod X (d1,...,dn) not trivial → computing PF mod X (d1,...,dn) costs O˜(mω−1D). Proposition : Freivalds + [G. ’18] verify PF = G mod X (d1,...,dn) at optimal cost O(mD) check (uP)F = uG mod X (d1,...,dn) for a random vector u check for a random α ∈ S ⊂ K, δ = max (d1, . . . , dn) that

• 1 α . . . αδ−1

     uP0 uP1 ... . . . ... ... uPδ−1 . . . uP1 uP0          F0 F1 . . . Fδ−1     = uG(α)

How to certify approximant basis

2

Approximant : PF = 0 mod X (d1,...,dn) not trivial → computing PF mod X (d1,...,dn) costs O˜(mω−1D). Proposition : Freivalds + [G. ’18] verify PF = G mod X (d1,...,dn) at optimal cost O(mD) check (uP)F = uG mod X (d1,...,dn) for a random vector u check for a random α ∈ S ⊂ K, δ = max (d1, . . . , dn) that

• uP(α) . . . αδ−ju(P rem X j)(α) . . . αδ−1uP0
• 

   F0 F1 . . . Fδ−1     = uG(α) Horner’s intermediate values for αδ−1rev(uP) on X = α−1

How to certify approximant basis

3

Basis : rows of P generate Ad(F)

How to certify approximant basis

3

Basis : rows of P generate Ad(F) Proposed lemma rows of P generate Ad(F) if and only if PF = 0 mod X d det(P) = X δ for 0 < δ ≤ D

[Beckermann, Labahn ’97]

the matrix

• P(0)

C

• ∈ Km×(m+n) has full rank, where

C = PFX −d mod X (our certificate)

How to certify approximant basis

3

Basis : rows of P generate Ad(F) Proposed lemma rows of P generate Ad(F) if and only if PF = 0 mod X d det(P) = X δ for 0 < δ ≤ D

[Beckermann, Labahn ’97]

the matrix

• P(0)

C

• ∈ Km×(m+n) has full rank, where

C = PFX −d mod X (our certificate) Idea of proof : Ad(F) ≃ ker( F −X d

• )

PF = 0 mod X d ⇐ ⇒

• P

PFX −d F −X d

• = 0

Our protocol for certifying approximant bases

Prover (compute)

1

compute P a s-minimal basis of Ad(F)

2

compute C = PFX −d mod X ⇒ send (P, C) to the verifier O˜(mω−1D) ֒ → O˜(mω−1D) ? ? ? Verifier (check)

1

non-singularity of leadmatrdegs(P)

2

full rank of

• P(0)

C

• 3

det(P(α)) = det(P(1))α|rdegs(P)|−|s| with α random in S ⊂ K

4

PF = CX d mod X (d1+1,...,dn+1) O(mD + mω−1(m + n)) ֒ → O(mω) ֒ → O(mω−1n) ֒ → O(mD + mω) ֒ → O(mD)

How to efficiently generate the certificate

Compute C as the term of degree 0 in PFX −d : → goal : no more than O˜(mω−1D) Easy when n = m and d = (D/m, . . . , D/m), C =

D/m

• k=1

PkFD/m−k ⇒ this costs at most D/m · O(mω) = O(mω−1D)

How to efficiently generate the certificate

Taking care of unbalanced degrees d = (d1, . . . , dn), with D = |d| = dj all columns in F cannot have large degree, i.e. |cdeg(F)| = D same remark on the rows of P when |rdeg(P)| = O(D) 1

• 1. similar idea with |cdeg(P)| ≤ D

How to efficiently generate the certificate

Taking care of unbalanced degrees d = (d1, . . . , dn), with D = |d| = dj all columns in F cannot have large degree, i.e. |cdeg(F)| = D same remark on the rows of P when |rdeg(P)| = O(D) 1 Extracting non-zero values according to the degrees # of rows in P with degree ≥ k is no more than D/k # of columns in F with degree ≥ k is no more than D/k C =

max(d)

• k=1

P∗

k F ∗ d−k

• ∀k < D/m each product costs O(mω)
• ∀k ≥ D/m each product costs O((D/k)ω−1m)

Total cost in O(mω−1D)

• 1. similar idea with |cdeg(P)| ≤ D

Our protocol for certifying approximant bases

Prover

1

compute P a s-minimal basis of Ad(F)

2

compute C = PFX −d mod X ⇒ send (P, C) to the verifier O˜(mω−1D) ֒ → O˜(mω−1D) ֒ → O(mω−1D) Verifier

1

check non-singularity of leadmatrdegs(P)

2

check full rank of

• P(0)

C

• 3

check det(P(α)) = det(P(1))α|rdegs(P)|−|s| with α random in S ⊂ K

4

check PF = CX d mod X (d1+1,...,dn+1) O(mD + mω−1(m + n)) ֒ → O(mω) ֒ → O(mω−1n) ֒ → O(mD + mω) ֒ → O(mD)

Conclusion

Almost optimal non-interactive certificate negligeable overhead for the Prover, only O(mω−1D) verification time in O(mD) + checking rank/det over K probability of error ≤ D

S for S ⊂ K [Freivalds ; Schwartz, Zippel]

certificate space is small, i.e. O(mn)

Conclusion

Almost optimal non-interactive certificate negligeable overhead for the Prover, only O(mω−1D) verification time in O(mD) + checking rank/det over K probability of error ≤ D

S for S ⊂ K [Freivalds ; Schwartz, Zippel]

certificate space is small, i.e. O(mn) Remark turn “easily” into optimal interactive protocol by [Dumas, Kaltofen ISSAC’14] a LinBox’s implementation should be available soon

Thank You

Certificate : sketch of proof

[Zhou, Labahn ISSAC’13, Neiger’s PhD ’16]

Ad(F) ≃ ker( F −X d

• )

PF = 0 mod X d ⇐ ⇒

• P

Q F −X d

• = 0

Column image of kernel bases : ker( F −X d

• ) =
• 0m×n

Im

• V with V ∈ GLm+n(K[X])

P basis : P Q = ker( F −X d

• ) =

⇒ rank( P Q ) = rank( P(0) Q(0) ) = m P not basis : P Q = U

• A

AFX −d with det(U) = X δ = ⇒ rank( P(0) Q(0) ) < m

Verifying truncated polynomial matrix product

The polynomial case [G. ’18] Let A = a0 + a1X + · · · + ak−1X k−1 and B = b0 + b1X + · · · + bk−1X k−1, sampling random value X = α in C = AB mod X k corresponds to :

• 1 α . . . αk−1

     a0 a1 ... . . . ... ... ak−1 . . . a1 a0          b0 b1 . . . bk−1     =

• 1 α . . . αk−1

   c0 c1 . . . ck−1   

Verifying truncated polynomial matrix product

The polynomial case [G. ’18] Let A = a0 + a1X + · · · + ak−1X k−1 and B = b0 + b1X + · · · + bk−1X k−1, sampling random value X = α in C = AB mod X k corresponds to :

• 1 α . . . αk−1

     a0 a1 ... . . . ... ... ak−1 . . . a1 a0          b0 b1 . . . bk−1     = C(α)

Verifying truncated polynomial matrix product

The polynomial case [G. ’18] Let A = a0 + a1X + · · · + ak−1X k−1 and B = b0 + b1X + · · · + bk−1X k−1, sampling random value X = α in C = AB mod X k corresponds to :

• A(α) . . . αk−j(A rem X j)(α) . . . αk−1a0
• 

   b0 b1 . . . bk     = C(α)

Verifying truncated polynomial matrix product

The polynomial case [G. ’18] Let A = a0 + a1X + · · · + ak−1X k−1 and B = b0 + b1X + · · · + bk−1X k−1, sampling random value X = α in C = AB mod X k corresponds to :

• A(α) . . . αk−j(A rem X j)(α) . . . αk−1a0
• 

   b0 b1 . . . bk     = C(α) ⇒ verification in O(k) using Horner’s algo. on αk−1rev(A) with X = α−1 ⇒ proba error <

k #S for S ⊂ K [Schwartz, Zippel ’79]

Verifying truncated polynomial matrix product

The polynomial matrix case Let P ∈ K[X]m×m, F, G ∈ K[X]m×n, t = (t1, . . . , tn) and δ = max(t) How to check PF = G mod X t ?

1

shrink matrix row dimension a la Freidvalds, random u ∈ K1×m → p = uP ∈ K[x]1×m and g = uG ∈ K[X]1×n

2

apply idea of [G. ’18] with vector/matrix

• 1 α . . . αδ−1

     p0 p1 ... . . . ... ... pδ−1 . . . p1 p0          F0 F1 . . . Fδ−1     = g(α)

Verifying truncated polynomial matrix product

The polynomial matrix case Let P ∈ K[X]m×m, F, G ∈ K[X]m×n, t = (t1, . . . , tn) and δ = max(t) How to check PF = G mod X t ?

1

shrink matrix row dimension a la Freidvalds, random u ∈ K1×m → p = uP ∈ K[x]1×m and g = uG ∈ K[X]1×n

2

apply idea of [G. ’18] with vector/matrix

• p(α) . . . αδ−j(p rem X j)(α) . . . αδ−1p0
• ∈K1×mδ

    F0 F1 . . . Fδ−1     = g(α)

Verifying truncated polynomial matrix product

The polynomial matrix case Let P ∈ K[X]m×m, F, G ∈ K[X]m×n, t = (t1, . . . , tn) and δ = max(t) How to check PF = G mod X t ?

1

shrink matrix row dimension a la Freidvalds, random u ∈ K1×m → p = uP ∈ K[x]1×m and g = uG ∈ K[X]1×n

2

apply idea of [G. ’18] with vector/matrix

• p(α) . . . αδ−j(p rem X j)(α) . . . αδ−1p0
• ∈K1×mδ

    F0 F1 . . . Fδ−1     = g(α) ⇒ verification in O(size(P) + m ti) ⇒ proba error <

δ #S for S ⊂ K